[EP_X0FF]

Blackhole which is distributing this ransom moved to new host, also ransom was redesigned, renamed (LokoMoTO) and got fresh refined crypter. Be aware this trojan trashes Windows SafeMode by renaming corresponding root keys.



Runs from
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

In attach todays 3 binaries extracted from BH EK + unpacked one.

[GMax]

Number to call: 79198021633
Unlock code: 534227775

[EP_X0FF]

Main and only one BH EK server distributing this ransom, enjoy 91.202.244.134. For last year they're moving in range of 91.202.2XX.XXX periodically in 4-5 months changing binary GUI and enabling/disabling ransom ability to be unlocked. This service is bulletproof and seems only serves as malware hosting. Todays payload in attach.

[thisisu]

renamed (LokoMoTO) and got fresh refined crypter.

If you don't mind me asking, is it referred to as LokoMoTO because of of this line of code (from your unpacked.ex_)?

Code: Select all

CODE:004175B4 WindowName      db 'LokoMoTO',0

Is WindowName the key here in giving you the alias?

Trying to understand a bit better for example, why wouldn't the string h0xA be an alias?

Code: Select all

CODE:00417810 aH0xa           db 'h0xA',0

Simply because WindowName isn't near it in the code? :?

Thanks

[EP_X0FF]

Yes because of main window name title string. Initially it was named WindowsSecurity, now LokoMoTo. How things in current version IDK - their crap distribution server didn't resolving and old IP also don't respond :)

[EP_X0FF]

Fresh LokoMoTo dropper pulled from SweetOrange exploit pack they now use (Blackhole was too expensive?). Notice that because this malware created in Delphi it is impossible to tell exact time/date of compilation - Delphi linker puts wrong information in PE structures (1992 for header and 1970 for Import Table datetime stamps).

[Aleksandra]

MD5: 343082c9c79af26d287a979d6369e93c
SHA1: c9794db333367cd3f6702693a822f22f29706591
https://www.virustotal.com/file/1b194cf ... /analysis/

[EP_X0FF]

Fresh LokoMoTo + decrypted

SHA1: 0adef55f8e9e2da27c5f1c0abdb739a0291ab0b5
https://www.virustotal.com/file/ff0813f ... /analysis/

landing: hxxp://1.hotpornedojitube.ru/x/
Redirector: hxxp://adavysalu.ru/

[EP_X0FF]

189b654b6f2c81c09305856a3d904a36ad3d588f
1c36f99204b510af78f8046b74eb0c832a40fed3
6f7da8738ffe46c9aa31c6f07bdb46270d99cdd1
797faaaf50a01276a084a871e3be708773c213d8
896fa4a91125e1534b42de8f0b29d995ecf595f0
9837b683967c5d5eded813065af17990496ae0a8
c5475fb6d4a785e2613a34e7f9235bb66a45649e
faa11eea29b3ba6d1aa7602275e37424b5b1e044

Lokomoto from jan - feb 2013

[360Tencent]

paper from sophos

http://www.sophos.com/en-us/medialibrar ... df?dl=true